Thursday, August 19, 2010

I came across this a couple of times recently, so I figured I would blog about it. I've been working quite a bit on SharePoint 2010 projects, and usually I am called upon to do farm installs. I recommend that clients always do least-privileged installs, so that means advising them on the accounts they need to create for their farms (dev/test/uat/prod) and the best practices regarding those accounts. Here is the list of accounts TechNet recommends for a least-privileged install.

Account: SQL Server service account

Purpose: The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:
  - MSSQLSERVER
  - SQLSERVERAGENT
If you do not use the default SQL Server instance, these services are shown in the Windows Services console as:
  - MSSQL$InstanceName
  - SQLAgent$InstanceName
The instance name is arbitrary and was chosen when Microsoft SQL Server was installed.

Requirements: Use either a Local System account or a domain user account.
If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions on the external resource to the machine account (domain_name\SQL_hostname$).

Account: Setup user account

Purpose: The Setup user account is used to run the following:
  - Setup
  - SharePoint Products Configuration Wizard

Requirements: Domain user account.
  - Member of the Administrators group on each server on which Setup is run.
  - SQL Server login on the computer that runs SQL Server.
  - Member of the following SQL Server security roles:
      - securityadmin fixed server role
      - dbcreator fixed server role
  - If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for that database.

Account: Server farm account or database access account

Purpose: The server farm account is used to perform the following tasks:
  - Configure and manage the server farm.
  - Act as the application pool identity for the SharePoint Central Administration Web site.
  - Run the Microsoft SharePoint Foundation Workflow Timer Service.

Requirements: Domain user account.
Additional permissions are automatically granted to the server farm account on Web servers and application servers that are joined to a server farm.
The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles:
  - dbcreator fixed server role
  - securityadmin fixed server role
  - db_owner fixed database role for all SharePoint databases in the server farm

OK, makes sense. So you log in to the app server with the Setup account and install SharePoint. Then you do the same on one or more Web servers. Now go back to the app server, run the Configuration Wizard, and set up the farm and Central Admin. After some configuration (setting up services, the first site collection), you come back to the Web servers and attempt to add them to the farm. The whole process goes smoothly and the Web server connects to the farm. Great; now you go to the Servers in Farm page in Central Admin, and to your dismay the Web server line item shows an error and says that it needs upgrading.

What?? So you run 'stsadm -o localupgradestatus' on the Web server, and it reports that everything is OK. Hmm..

Resolution
The way I found to get around this is to remove the Web server from the farm, then log off the Web server. Log back on using the Server farm account (the account TechNet lists above as the server farm account), not the Setup account. Now run the Configuration Wizard and add the Web server back to the farm. This works well, and now when you go to the 'Servers in Farm' page, everything looks good!
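As an added check before re-joining a Web server (example script written for this post, not something from the original post or from Microsoft), the following PowerShell shows the same status the 'Servers in Farm' page reports, warns if the shell is not running as the farm account, and confirms that the Setup and farm accounts hold only the two fixed server roles the table above requires. The SQL instance name and the Setup account name are placeholders you must replace.

```powershell
# Added example: run in the SharePoint 2010 Management Shell on a farm server.
# Placeholders: 'SQL_hostname\InstanceName' and 'DOMAIN\sp_setup' are not real names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm        = Get-SPFarm
$farmAccount = $farm.DefaultServiceAccount.Name          # the "server farm account" from the table
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. The fix in this post hinges on running the Configuration Wizard as the farm account.
if ($currentUser -ne $farmAccount) {
    Write-Warning "Logged on as $currentUser; the farm account is $farmAccount. Re-join the Web server as the farm account."
}

# 2. Same data as the 'Servers in Farm' page: which servers claim they need an upgrade.
Get-SPServer | Select-Object Address, Role, Status, NeedsUpgrade | Format-Table -AutoSize

# 3. Least-privilege check on SQL Server: both accounts should be in securityadmin and dbcreator,
#    and neither should have been given sysadmin along the way.
$sqlInstance  = 'SQL_hostname\InstanceName'                # placeholder
$setupAccount = 'DOMAIN\sp_setup'                          # placeholder
$expected = @{ 'securityadmin' = 1; 'dbcreator' = 1; 'sysadmin' = 0 }

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$sqlInstance;Database=master;Integrated Security=SSPI"
$conn.Open()
try {
    foreach ($login in @($setupAccount, $farmAccount)) {
        foreach ($role in $expected.Keys) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = "SELECT IS_SRVROLEMEMBER(@role, @login)"   # 1 = member, 0 = not, NULL = unknown login/role
            [void]$cmd.Parameters.AddWithValue('@role', $role)
            [void]$cmd.Parameters.AddWithValue('@login', $login)
            $isMember = $cmd.ExecuteScalar()
            if ($isMember -is [DBNull]) {
                Write-Warning "$login : no SQL login found (or role '$role' unknown)"
            } elseif ([int]$isMember -ne $expected[$role]) {
                Write-Warning "$login : $role membership is $isMember, expected $($expected[$role])"
            }
        }
    }
} finally {
    $conn.Close()
}
```

The script needs to run under a Windows account that already has a SQL login able to read server role membership, which the Setup account has by the table above.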